crowdstrike/ioc Dashboards

Domain overview

The Domain Overview dashboard provides comprehensive domain-based threat analysis through detailed monitoring visualizations. This dashboard enables tracking of suspicious domains, investigation of domain-based threats, and monitoring of domain activity patterns across the network infrastructure.
IP overview

The IP Overview dashboard presents comprehensive IP-based threat intelligence through detailed analysis visualizations. This dashboard enables monitoring of suspicious IP addresses, tracking of malicious network activities, and investigation of IP-based security events across the environment.
Overview

The Overview dashboard provides a consolidated view of threat indicators through comprehensive security visualizations. This dashboard enables monitoring of various threat types, analysis of security trends, and tracking of indicator patterns across the security landscape.
URL overview

The URL Overview dashboard presents detailed URL-based threat analysis through specialized monitoring visualizations. This dashboard enables tracking of malicious URLs, investigation of web-based threats, and monitoring of suspicious web activity patterns across the network.

Domain overview

The Domain Overview dashboard provides comprehensive domain-based threat analysis through detailed monitoring visualizations. This dashboard enables tracking of suspicious domains, investigation of domain-based threats, and monitoring of domain activity patterns across the network infrastructure.

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

IP overview

The IP Overview dashboard presents comprehensive IP-based threat intelligence through detailed analysis visualizations. This dashboard enables monitoring of suspicious IP addresses, tracking of malicious network activities, and investigation of IP-based security events across the environment.

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

Overview

The Overview dashboard provides a consolidated view of threat indicators through comprehensive security visualizations. This dashboard enables monitoring of various threat types, analysis of security trends, and tracking of indicator patterns across the security landscape.

Widget	Description	Type
Threat attributes	Displays a flow chart of threat attributes based on URL, IP and domain data. Hide Query Show Query logscale \| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<label>^[^\/]+)\/(?<value>.+)$") \| sankey(source="label", target="value")	`Sankey`
Threat severity over time	Displays threat severity over time using URL, IP address, and domain. Hide Query Show Query logscale `\| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| timechart(ioc.malicious_confidence, span=1h)`	`Time Chart`
Threats by confidence	Displays a list of threats by confidence level based on URLs, IP addresses, and domains. Hide Query Show Query logscale `\| ioc:lookup([/insert field names containing URLs here/], type="url", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing IP addresses here/], type="ip_address", strict="false", confidenceThreshold=?threshold) \| ioc:lookup([/insert field names containing domains here/], type="domain", strict="false", confidenceThreshold=?threshold) \| ioc.detected = true \| split("ioc") \| groupBy(["ioc.malicious_confidence"])`	`Pie Chart`
Guide	Please use these dashboards as inspiration on building your own security insights. To get started, edit the queries in the widget to insert the right field names you want to look up IOC matches on.	`Note`

URL overview

The URL Overview dashboard presents detailed URL-based threat analysis through specialized monitoring visualizations. This dashboard enables tracking of malicious URLs, investigation of web-based threats, and monitoring of suspicious web activity patterns across the network.

Widget	Description	Type
IOC geolocation	Location of client IP addresses present in IOC. Note - location of client IP does not always correlate with actual physical location of user or system Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| worldMap(ip=client_ip) // location of malicious client IP's`	`World Map`
Threat types	Pie chart showing breakdown of threat types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^ThreatType\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Threat relationships	Links client IP IOC labels to the different values of each label Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(?<category>^[^\/]+)\/(?<value>.+)$") \| sankey(source="category",target="value") // threat relationships`	`Sankey`
Actors	Pie chart showing breakdown of threat actors (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Actor\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
Kill chains	Pie chart showing breakdown of kill chain values (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^KillChain\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
All threat details	Detailed information of all threats found in client IPs Hide Query Show Query logscale #logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| "ioc.malicious_confidence" match { unverified => icon := "\u2139 " ; low => icon := "\u2B07 " ; medium => icon := "\u26A0 " ; high => icon := "\u2757 " ; * => icon := " " ; } // icons to display for each malicious confidence \| concat(["icon", "ioc.malicious_confidence"], as="ioc.malicious_confidence") \| now := now() \| ioc_age := now - ioc.last_updated \| formatDuration(ioc_age, precision=2, as="ioc.age") \| groupBy(["ip_addr_IOC", "#repo", "ioc.type", "ioc.indicator", "ioc.malicious_confidence", "ioc.published_date", "ioc.last_updated", "ioc.age", "ioc.labels"]) // // all information regarding malicious client IP's \| formatTime(field="ioc.published_date", as="ioc.published_date", format="%Y-%m-%d %H:%M:%S") \| formatTime(field="ioc.last_updated", as="ioc.last_updated", format="%Y-%m-%d %H:%M:%S")	`Table`
Malware	Pie chart showing breakdown of malware types (linked to client IP) Hide Query Show Query logscale `#logtype = "apache-access-log" or #logtype = "apache-error-log" \| ioc:lookup(["client_ip"], type="ip_address", strict=true, confidenceThreshold=?threshold) // ioc search for client IP with threshold parameter \| split("ioc") \| splitString(field="ioc.labels", by=",", as="ioc.labels") \| split("ioc.labels") \| regex(field="ioc.labels", regex="(^Malware\\/(?<value>.+)$)") \| groupBy(value)`	`Pie Chart`
note-1624965575450	# All Details The table below shows details of all the threats found, irrespective of the threshold filter applied. Click on the various aspects of these results to drill down into the raw events	`Note`

Versions of this Page

Package Marketplace

Package Reference

Dashboard Reference

Package Management

Other Integrations

Log Formats

crowdstrike/ioc Dashboards

Domain overview

IP overview

Overview

URL overview

Enter search term